From patchwork Sat Oct  4 20:29:57 2014
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Grant Likely <grant.likely@linaro.org>
X-Patchwork-Id: 38350
Return-Path: <patchwork-forward+bncBCJP567ORICBB7NRYGQQKGQEWMGFOUY@linaro.org>
X-Original-To: linaro@patches.linaro.org
Delivered-To: linaro@patches.linaro.org
Received: from mail-lb0-f199.google.com (mail-lb0-f199.google.com
 [209.85.217.199])
 by ip-10-151-82-157.ec2.internal (Postfix) with ESMTPS id 98DBD203AD
 for <linaro@patches.linaro.org>; Sat,  4 Oct 2014 20:30:54 +0000 (UTC)
Received: by mail-lb0-f199.google.com with SMTP id w7sf1693397lbi.10
 for <linaro@patches.linaro.org>; Sat, 04 Oct 2014 13:30:53 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20130820;
 h=x-gm-message-state:mime-version:delivered-to:from:to:cc:subject
 :date:message-id:sender:precedence:list-id:x-original-sender
 :x-original-authentication-results:mailing-list:list-post:list-help
 :list-archive:list-unsubscribe;
 bh=DyeEujRnz9/7DZWXmmmq3gP8JyrNPkM8W54E7WsVKkQ=;
 b=l2jg5ulBiJzy3BaDNraKU7nSnvLZkL+tQ4mEUwXStmnwv6GdGP9sjUOGEYiXvh3KgL
 OUJUEPezppLdmbdGR3MSZZV7kf98G3qVmjJ2CMprdq9LTyp/JrL9Ok50CrZaXrFz4D0I
 BWaGAbkQF4v9RqJAVf5jIyF/pvx+iXe8dPCKK5IHg+2JJCksypkyTK+fzkes293DWvlG
 jGBhwcr505mt1i41o88l6Ap520lltOkp/GTPhQ/G6r8i7zTBb7cZ7JjrRMmK3CZJTA6Q
 ENMEbElsaR6BTqqqcjAg4pROQBJbeyBy/HeqrG55x8QHUvPxerXhGrY69l5q+kiFfvDR
 0LPw==
X-Gm-Message-State: ALoCoQltB7OTo8bJ2ZwzsbcaI9ZHSvAAjfEqayf0D3bW4BRtfGEtq0cTCeXEi042ZAX7Ial78EMC
X-Received: by 10.152.26.225 with SMTP id o1mr2245242lag.4.1412454653297;
 Sat, 04 Oct 2014 13:30:53 -0700 (PDT)
MIME-Version: 1.0
X-BeenThere: patchwork-forward@linaro.org
Received: by 10.152.22.37 with SMTP id a5ls466407laf.42.gmail; Sat, 04 Oct
 2014 13:30:53 -0700 (PDT)
X-Received: by 10.152.23.199 with SMTP id o7mr14773371laf.26.1412454653059; 
 Sat, 04 Oct 2014 13:30:53 -0700 (PDT)
Received: from mail-la0-f46.google.com (mail-la0-f46.google.com
 [209.85.215.46]) by mx.google.com with ESMTPS id
 cy2si17154924lac.26.2014.10.04.13.30.52
 for <patchwork-forward@linaro.org>
 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
 Sat, 04 Oct 2014 13:30:52 -0700 (PDT)
Received-SPF: pass (google.com: domain of
 patch+caf_=patchwork-forward=linaro.org@linaro.org designates
 209.85.215.46 as permitted sender) client-ip=209.85.215.46; 
Received: by mail-la0-f46.google.com with SMTP id gi9so2631377lab.5
 for <patchwork-forward@linaro.org>;
 Sat, 04 Oct 2014 13:30:52 -0700 (PDT)
X-Received: by 10.153.7.73 with SMTP id da9mr13192567lad.56.1412454652856;
 Sat, 04 Oct 2014 13:30:52 -0700 (PDT)
X-Forwarded-To: patchwork-forward@linaro.org
X-Forwarded-For: patch@linaro.org patchwork-forward@linaro.org
Delivered-To: patch@linaro.org
Received: by 10.112.130.169 with SMTP id of9csp76212lbb;
 Sat, 4 Oct 2014 13:30:52 -0700 (PDT)
X-Received: by 10.69.18.235 with SMTP id gp11mr14887700pbd.89.1412454651299; 
 Sat, 04 Oct 2014 13:30:51 -0700 (PDT)
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
 by mx.google.com with ESMTP id
 pl6si7343357pdb.111.2014.10.04.13.30.50 for <multiple recipients>;
 Sat, 04 Oct 2014 13:30:51 -0700 (PDT)
Received-SPF: none (google.com: devicetree-owner@vger.kernel.org does not
 designate permitted sender hosts) client-ip=209.132.180.67; 
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
 id S1750967AbaJDUau (ORCPT <rfc822;patch@linaro.org> + 5 others);
 Sat, 4 Oct 2014 16:30:50 -0400
Received: from mail-wi0-f175.google.com ([209.85.212.175]:47497 "EHLO
 mail-wi0-f175.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
 with ESMTP id S1750938AbaJDUat (ORCPT
 <rfc822; devicetree@vger.kernel.org>); Sat, 4 Oct 2014 16:30:49 -0400
Received: by mail-wi0-f175.google.com with SMTP id d1so1538294wiv.8
 for <devicetree@vger.kernel.org>;
 Sat, 04 Oct 2014 13:30:48 -0700 (PDT)
X-Received: by 10.194.58.108 with SMTP id p12mr17847842wjq.71.1412454648272; 
 Sat, 04 Oct 2014 13:30:48 -0700 (PDT)
Received: from trevor.secretlab.ca
 (host86-166-87-213.range86-166.btcentralplus.com. [86.166.87.213])
 by mx.google.com with ESMTPSA id
 cy10sm11897672wjb.21.2014.10.04.13.30.47 for <multiple recipients>
 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
 Sat, 04 Oct 2014 13:30:47 -0700 (PDT)
Received: by trevor.secretlab.ca (Postfix, from userid 1000)
 id 6166AC41868; Sat,  4 Oct 2014 13:30:11 -0700 (PDT)
From: Grant Likely <grant.likely@linaro.org>
To: devicetree@vger.kernel.org
Cc: Grant Likely <grant.likely@linaro.org>,
 Gaurav Minocha <gaurav.minocha.os@gmail.com>
Subject: [PATCH v2 1/6] of: Fix NULL dereference in selftest removal code
Date: Sat,  4 Oct 2014 21:29:57 +0100
Message-Id: <1412454602-28518-1-git-send-email-grant.likely@linaro.org>
X-Mailer: git-send-email 1.9.1
Sender: devicetree-owner@vger.kernel.org
Precedence: list
List-ID: <patchwork-forward.linaro.org>
X-Mailing-List: devicetree@vger.kernel.org
X-Removed-Original-Auth: Dkim didn't pass.
X-Original-Sender: grant.likely@linaro.org
X-Original-Authentication-Results: mx.google.com; spf=pass (google.com:
 domain of
 patch+caf_=patchwork-forward=linaro.org@linaro.org designates
 209.85.215.46 as permitted sender)
 smtp.mail=patch+caf_=patchwork-forward=linaro.org@linaro.org
Mailing-list: list patchwork-forward@linaro.org;
 contact patchwork-forward+owners@linaro.org
X-Google-Group-Id: 836684582541
List-Post: <http://groups.google.com/a/linaro.org/group/patchwork-forward/post>, 
 <mailto:patchwork-forward@linaro.org>
List-Help: <http://support.google.com/a/linaro.org/bin/topic.py?topic=25838>, 
 <mailto:patchwork-forward+help@linaro.org>
List-Archive: <http://groups.google.com/a/linaro.org/group/patchwork-forward/>
List-Unsubscribe: <mailto:googlegroups-manage+836684582541+unsubscribe@googlegroups.com>, 
 <http://groups.google.com/a/linaro.org/group/patchwork-forward/subscribe>

The selftest code removes its testcase data from the live tree when
exiting, but if the testcases data tree contains an empty child of the
root, then it causes an oops due to a NULL dereference. The reason is
that the code tries to directly dereference the child pointer without
checking first if a child is actually there.

The solution is to pass the parent node into detach_node_and_children()
instead of trying to pass the child. This required removing the code
that attempts to remove all of the sibling nodes in
detach_node_and_children(), which was never sensible in the first place.

At the same time add a check to make sure the bounds of the nodes list
are not exceeded by the testdata tree. If they are then abort.

Signed-off-by: Grant Likely <grant.likely@linaro.org>
Cc: Gaurav Minocha <gaurav.minocha.os@gmail.com>
---
 drivers/of/selftest.c | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/drivers/of/selftest.c b/drivers/of/selftest.c
index a737cb5974de..883e60b04eb5 100644
--- a/drivers/of/selftest.c
+++ b/drivers/of/selftest.c
@@ -637,6 +637,8 @@ static int attach_node_and_children(struct device_node *np)
 	dup = np;
 
 	while (dup) {
+		if (WARN_ON(last_node_index >= NO_OF_NODES))
+			return -EINVAL;
 		nodes[last_node_index++] = dup;
 		dup = dup->sibling;
 	}
@@ -717,10 +719,6 @@ static void detach_node_and_children(struct device_node *np)
 {
 	while (np->child)
 		detach_node_and_children(np->child);
-
-	while (np->sibling)
-		detach_node_and_children(np->sibling);
-
 	of_detach_node(np);
 }
 
@@ -749,8 +747,7 @@ static void selftest_data_remove(void)
 		if (nodes[last_node_index]) {
 			np = of_find_node_by_path(nodes[last_node_index]->full_name);
 			if (strcmp(np->full_name, "/aliases") != 0) {
-				detach_node_and_children(np->child);
-				of_detach_node(np);
+				detach_node_and_children(np);
 			} else {
 				for_each_property_of_node(np, prop) {
 					if (strcmp(prop->name, "testcase-alias") == 0)